linux/drivers
Ido Schimmel c01a9dbec1 thermal: Fix use-after-free when unregistering thermal zone device
[ Upstream commit 1851799e1d ]

thermal_zone_device_unregister() cancels the delayed work that polls the
thermal zone, but it does not wait for it to finish. This is racy with
respect to the freeing of the thermal zone device, which can result in a
use-after-free [1].

Fix this by waiting for the delayed work to finish before freeing the
thermal zone device. Note that thermal_zone_device_set_polling() is
never invoked from an atomic context, so it is safe to call
cancel_delayed_work_sync() that can block.

[1]
[  +0.002221] ==================================================================
[  +0.000064] BUG: KASAN: use-after-free in __mutex_lock+0x1076/0x11c0
[  +0.000016] Read of size 8 at addr ffff8881e48e0450 by task kworker/1:0/17

[  +0.000023] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 5.2.0-rc6-custom-02495-g8e73ca3be4af #1701
[  +0.000010] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
[  +0.000016] Workqueue: events_freezable_power_ thermal_zone_device_check
[  +0.000012] Call Trace:
[  +0.000021]  dump_stack+0xa9/0x10e
[  +0.000020]  print_address_description.cold.2+0x9/0x25e
[  +0.000018]  __kasan_report.cold.3+0x78/0x9d
[  +0.000016]  kasan_report+0xe/0x20
[  +0.000016]  __mutex_lock+0x1076/0x11c0
[  +0.000014]  step_wise_throttle+0x72/0x150
[  +0.000018]  handle_thermal_trip+0x167/0x760
[  +0.000019]  thermal_zone_device_update+0x19e/0x5f0
[  +0.000019]  process_one_work+0x969/0x16f0
[  +0.000017]  worker_thread+0x91/0xc40
[  +0.000014]  kthread+0x33d/0x400
[  +0.000015]  ret_from_fork+0x3a/0x50

[  +0.000020] Allocated by task 1:
[  +0.000015]  save_stack+0x19/0x80
[  +0.000015]  __kasan_kmalloc.constprop.4+0xc1/0xd0
[  +0.000014]  kmem_cache_alloc_trace+0x152/0x320
[  +0.000015]  thermal_zone_device_register+0x1b4/0x13a0
[  +0.000015]  mlxsw_thermal_init+0xc92/0x23d0
[  +0.000014]  __mlxsw_core_bus_device_register+0x659/0x11b0
[  +0.000013]  mlxsw_core_bus_device_register+0x3d/0x90
[  +0.000013]  mlxsw_pci_probe+0x355/0x4b0
[  +0.000014]  local_pci_probe+0xc3/0x150
[  +0.000013]  pci_device_probe+0x280/0x410
[  +0.000013]  really_probe+0x26a/0xbb0
[  +0.000013]  driver_probe_device+0x208/0x2e0
[  +0.000013]  device_driver_attach+0xfe/0x140
[  +0.000013]  __driver_attach+0x110/0x310
[  +0.000013]  bus_for_each_dev+0x14b/0x1d0
[  +0.000013]  driver_register+0x1c0/0x400
[  +0.000015]  mlxsw_sp_module_init+0x5d/0xd3
[  +0.000014]  do_one_initcall+0x239/0x4dd
[  +0.000013]  kernel_init_freeable+0x42b/0x4e8
[  +0.000012]  kernel_init+0x11/0x18b
[  +0.000013]  ret_from_fork+0x3a/0x50

[  +0.000015] Freed by task 581:
[  +0.000013]  save_stack+0x19/0x80
[  +0.000014]  __kasan_slab_free+0x125/0x170
[  +0.000013]  kfree+0xf3/0x310
[  +0.000013]  thermal_release+0xc7/0xf0
[  +0.000014]  device_release+0x77/0x200
[  +0.000014]  kobject_put+0x1a8/0x4c0
[  +0.000014]  device_unregister+0x38/0xc0
[  +0.000014]  thermal_zone_device_unregister+0x54e/0x6a0
[  +0.000014]  mlxsw_thermal_fini+0x184/0x35a
[  +0.000014]  mlxsw_core_bus_device_unregister+0x10a/0x640
[  +0.000013]  mlxsw_devlink_core_bus_device_reload+0x92/0x210
[  +0.000015]  devlink_nl_cmd_reload+0x113/0x1f0
[  +0.000014]  genl_family_rcv_msg+0x700/0xee0
[  +0.000013]  genl_rcv_msg+0xca/0x170
[  +0.000013]  netlink_rcv_skb+0x137/0x3a0
[  +0.000012]  genl_rcv+0x29/0x40
[  +0.000013]  netlink_unicast+0x49b/0x660
[  +0.000013]  netlink_sendmsg+0x755/0xc90
[  +0.000013]  __sys_sendto+0x3de/0x430
[  +0.000013]  __x64_sys_sendto+0xe2/0x1b0
[  +0.000013]  do_syscall_64+0xa4/0x4d0
[  +0.000013]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[  +0.000017] The buggy address belongs to the object at ffff8881e48e0008
               which belongs to the cache kmalloc-2k of size 2048
[  +0.000012] The buggy address is located 1096 bytes inside of
               2048-byte region [ffff8881e48e0008, ffff8881e48e0808)
[  +0.000007] The buggy address belongs to the page:
[  +0.000012] page:ffffea0007923800 refcount:1 mapcount:0 mapping:ffff88823680d0c0 index:0x0 compound_mapcount: 0
[  +0.000020] flags: 0x200000000010200(slab|head)
[  +0.000019] raw: 0200000000010200 ffffea0007682008 ffffea00076ab808 ffff88823680d0c0
[  +0.000016] raw: 0000000000000000 00000000000d000d 00000001ffffffff 0000000000000000
[  +0.000007] page dumped because: kasan: bad access detected

[  +0.000012] Memory state around the buggy address:
[  +0.000012]  ffff8881e48e0300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  +0.000012]  ffff8881e48e0380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  +0.000012] >ffff8881e48e0400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  +0.000008]                                                  ^
[  +0.000012]  ffff8881e48e0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  +0.000012]  ffff8881e48e0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  +0.000007] ==================================================================

Fixes: b1569e99c7 ("ACPI: move thermal trip handling to generic thermal layer")
Reported-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-10-11 18:21:19 +02:00
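The race described in the commit message, as an added userspace model that is not part of this commit or of the kernel: a worker thread stands in for the delayed polling work, `model_cancel()` stands in for `cancel_delayed_work()` (flag and return), `model_cancel_sync()` stands in for `cancel_delayed_work_sync()` (flag and wait), and `kfree()` is modelled by a tombstone flag rather than a real `free()` so that a late access is counted instead of being undefined behaviour. The struct and function names are stand-ins chosen for this illustration, not the kernel's API; `unregister_races(0)` reproduces the old path and `unregister_races(1)` the fixed one.

```c
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Stand-in for struct thermal_zone_device: only the fields the model needs.
 * Field names mirror the kernel's, but this is illustration, not kernel code. */
struct tz_model {
    pthread_mutex_t lock;       /* the worker takes this, like tz->lock under __mutex_lock */
    pthread_t worker;           /* the "delayed work" thread */
    atomic_int cancel_flag;     /* set by the cancel stand-ins below */
    atomic_int body_running;    /* worker has entered its body */
    atomic_int freed;           /* tombstone standing in for kfree() */
    atomic_int uaf_hits;        /* worker touched the zone after the tombstone was set */
};

/* The polling work body (stand-in for thermal_zone_device_check()). */
static void *poll_body(void *arg)
{
    struct tz_model *tz = arg;

    /* A cancel that lands before the body starts is honoured, like a
     * delayed work still sitting in its timer. */
    if (atomic_load(&tz->cancel_flag))
        return NULL;

    atomic_store(&tz->body_running, 1);
    usleep(50000);                           /* body in flight: the race window */

    /* Once the body is running, a non-waiting cancel cannot stop it. */
    if (atomic_load(&tz->freed)) {
        atomic_fetch_add(&tz->uaf_hits, 1);  /* the access KASAN reported */
        return NULL;
    }
    pthread_mutex_lock(&tz->lock);           /* the access the real work makes */
    pthread_mutex_unlock(&tz->lock);
    return NULL;
}

/* cancel_delayed_work() stand-in: mark cancelled, do not wait. */
static void model_cancel(struct tz_model *tz)
{
    atomic_store(&tz->cancel_flag, 1);
}

/* cancel_delayed_work_sync() stand-in: mark cancelled, then wait for a
 * body that is already running to return. */
static void model_cancel_sync(struct tz_model *tz)
{
    atomic_store(&tz->cancel_flag, 1);
    pthread_join(tz->worker, NULL);
}

/* One register/poll/unregister cycle. Returns how many times the worker
 * touched the zone after it was "freed": 0 means the unregister was safe. */
int unregister_races(int wait_for_work)
{
    struct tz_model *tz = calloc(1, sizeof *tz);
    int hits;

    pthread_mutex_init(&tz->lock, NULL);
    pthread_create(&tz->worker, NULL, poll_body, tz);

    /* Let the poll body get in flight, as on a box mid devlink reload. */
    while (!atomic_load(&tz->body_running))
        usleep(1000);

    if (wait_for_work)
        model_cancel_sync(tz);               /* fixed path: waits for the body */
    else
        model_cancel(tz);                    /* old path: returns at once */

    atomic_store(&tz->freed, 1);             /* thermal_release() -> kfree() */

    if (!wait_for_work)
        pthread_join(tz->worker, NULL);      /* only to collect the result; the old kernel path never waited here */

    hits = atomic_load(&tz->uaf_hits);
    pthread_mutex_destroy(&tz->lock);
    free(tz);
    return hits;
}

int main(void)
{
    printf("cancel without waiting: accesses after free = %d\n", unregister_races(0));
    printf("cancel and wait:        accesses after free = %d\n", unregister_races(1));
    return 0;
}
```

The window is made deliberately wide (the body sleeps while "in flight") so the outcome is deterministic; in the kernel the same window is however long `thermal_zone_device_update()` takes to reach `tz->lock`, which is why the report only appears under load or with KASAN.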
accessibility
acpi ACPI / PCI: fix acpi_pci_irq_enable() memory leak 2019-10-05 13:09:53 +02:00
amba
android binder: fix possible UAF when freeing buffer 2019-08-04 09:30:53 +02:00
ata libata/ahci: Drop PCS quirk for Denverton and beyond 2019-10-05 13:09:52 +02:00
atm Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 2019-09-21 07:16:57 +02:00
auxdisplay auxdisplay: panel: need to delete scan_timer when misc_register fails in panel_attach 2019-09-06 10:21:56 +02:00
base soundwire: fix regmap dependencies and align with other serial links 2019-10-07 18:57:27 +02:00
bcma
block nbd: fix max number of supported devs 2019-10-11 18:20:46 +02:00
bluetooth Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices 2019-10-01 08:26:12 +02:00
bus bus: ti-sysc: Simplify cleanup upon failures in sysc_probe() 2019-09-21 07:16:51 +02:00
cdrom cdrom: Fix race condition in cdrom_sysctl_register 2019-04-05 22:33:10 +02:00
char ipmi_si: Only schedule continuously in the thread in maintenance mode 2019-10-07 18:56:39 +02:00
clk clk: sprd: add missing kfree 2019-10-07 18:57:03 +02:00
clocksource clocksource/drivers/exynos_mct: Increase priority over ARM arch timer 2019-07-26 09:14:12 +02:00
connector connector: fix unsafe usage of ->real_parent 2019-03-19 13:12:38 +01:00
cpufreq cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() 2019-08-16 10:12:46 +02:00
cpuidle
crypto crypto: ccree - use the full crypt length value 2019-10-11 18:20:55 +02:00
dax mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses 2019-05-22 07:37:40 +02:00
dca
devfreq PM / devfreq: tegra: Fix kHz to Hz conversion 2019-10-11 18:20:46 +02:00
dio
dma dmaengine: ti: edma: Do not reset reserved paRAM slots 2019-10-05 13:09:54 +02:00
dma-buf dma-buf/sw_sync: Synchronize signal vs syncpt free 2019-10-07 18:57:04 +02:00
edac EDAC/amd64: Decode syndrome before translating address 2019-10-05 13:09:48 +02:00
eisa
extcon extcon: arizona: Disable mic detect if running when driver is removed 2019-05-31 06:46:23 -07:00
firewire
firmware firmware: arm_scmi: Check if platform has released shmem before using 2019-10-05 13:09:39 +02:00
fmc
fpga fpga: altera-ps-spi: Fix getting of optional confd gpio 2019-09-21 07:16:53 +02:00
fsi fsi: scom: Don't abort operations for minor errors 2019-09-06 10:22:19 +02:00
gnss gnss: sirf: fix premature wakeup interrupt enable 2019-03-10 07:17:21 +01:00
gpio gpio: fix line flag validation in lineevent_create 2019-09-19 09:09:37 +02:00
gpu drm/amdgpu: Check for valid number of registers to read 2019-10-11 18:21:17 +02:00
hid HID: apple: Fix stuck function keys when using FN 2019-10-07 18:57:12 +02:00
hsi
hv Drivers: hv: kvp: Fix the recent regression caused by incorrect clean-up 2019-09-16 08:21:54 +02:00
hwmon hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' 2019-10-05 13:09:54 +02:00
hwspinlock
hwtracing intel_th: pci: Add Tiger Lake support 2019-09-06 10:22:18 +02:00
i2c i2c-cht-wc: Fix lockdep warning 2019-10-07 18:57:08 +02:00
ide
idle x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
iio iio: adc: stm32-dfsdm: fix data type 2019-09-19 09:09:40 +02:00
infiniband IB/hfi1: Define variables as unsigned long to fix KASAN warning 2019-10-05 13:10:02 +02:00
input Input: elan_i2c - remove Lenovo Legion Y7000 PnpID 2019-09-21 07:16:41 +02:00
iommu iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems 2019-10-05 13:09:59 +02:00
ipack
irqchip irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices 2019-10-01 08:26:08 +02:00
isdn mISDN: enforce CAP_NET_RAW for raw sockets 2019-10-05 13:09:31 +02:00
leds led: triggers: Fix a memory leak bug 2019-10-05 13:09:45 +02:00
lightnvm lightnvm: pblk: fix freeing of merged pages 2019-07-26 09:14:09 +02:00
macintosh
mailbox mbox: qcom: add APCS child device for QCS404 2019-10-07 18:57:02 +02:00
mcb
md md/raid0: avoid RAID0 data corruption due to layout confusion. 2019-10-05 13:10:12 +02:00
media media: don't drop front-end reference count for ->detach 2019-10-05 13:10:05 +02:00
memory memory: tegra: Fix integer overflow on tick value calculation 2019-05-25 18:23:32 +02:00
memstick memstick: Fix error cleanup path of memstick_init 2019-07-31 07:26:59 +02:00
message
mfd mfd: intel-lpss: Remove D3cold delay 2019-10-07 18:57:08 +02:00
misc VMCI: Release resource if the work is already queued 2019-09-06 10:22:20 +02:00
mmc mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence 2019-10-11 18:21:05 +02:00
mtd mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() 2019-10-01 08:26:02 +02:00
mux
net ieee802154: atusb: fix use-after-free at disconnect 2019-10-11 18:21:07 +02:00
nfc st_nci_hci_connectivity_event_received: null check the allocation 2019-08-29 08:28:31 +02:00
ntb ntb: point to right memory window index 2019-10-11 18:21:18 +02:00
nubus
nvdimm libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock 2019-08-09 17:52:28 +02:00
nvme nvme-multipath: fix ana log nsid lookup when nsid is not found 2019-10-05 13:09:52 +02:00
nvmem nvmem: Use the same permissions for eeprom as for nvmem 2019-09-19 09:09:41 +02:00
of of: overlay: set node fields from properties when add new overlay node 2019-06-09 09:17:24 +02:00
opp
oprofile
parisc parisc: Disable HP HSC-PCI Cards to prevent kernel crash 2019-10-05 13:10:04 +02:00
parport parport: Fix mem leak in parport_register_dev_model 2019-06-25 11:35:55 +08:00
pci PCI: Restore Resizable BAR size bits correctly for 1MB BARs 2019-10-11 18:21:00 +02:00
pcmcia
perf drivers/perf: arm_pmu: Fix failure path in PM notifier 2019-08-06 19:06:55 +02:00
phy phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current 2019-09-21 07:16:42 +02:00
pinctrl pinctrl: meson-gxbb: Fix wrong pinning definition for uart_c 2019-10-07 18:57:00 +02:00
platform platform/x86: intel_pmc_core: Do not ioremap RAM 2019-10-05 13:09:55 +02:00
pnp
power power: supply: sbs-battery: only return health when battery present 2019-10-11 18:20:56 +02:00
powercap x86/cpu: Sanitize FAM6_ATOM naming 2019-05-14 19:17:53 +02:00
pps drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl 2019-08-04 09:30:56 +02:00
ps3
ptp
pwm pwm: stm32-lp: Add check in case requested period cannot be achieved 2019-10-11 18:21:17 +02:00
rapidio drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings 2019-08-06 19:06:52 +02:00
ras RAS/CEC: Fix pfn insertion 2019-07-26 09:14:05 +02:00
regulator regulator: Defer init completion for a while after late_initcall 2019-10-05 13:10:07 +02:00
remoteproc remoteproc: qcom: q6v5-mss: add SCM probe dependency 2019-09-16 08:21:48 +02:00
reset reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev 2019-05-08 07:21:47 +02:00
rpmsg
rtc rtc: pcf85363/pcf85263: fix regmap error in set_time 2019-10-07 18:57:12 +02:00
s390 s390/cio: avoid calling strlen on null pointer 2019-10-11 18:21:08 +02:00
sbus
scsi scsi: core: Reduce memory required for SCSI logging 2019-10-07 18:57:04 +02:00
sfi
sh
siox
slimbus slimbus: fix a potential NULL pointer dereference in of_qcom_slim_ngd_register 2019-05-31 06:46:14 -07:00
sn
soc soc: bcm: brcmstb: biuctrl: Register writes require a barrier 2019-07-14 08:11:03 +02:00
soundwire soundwire: fix regmap dependencies and align with other serial links 2019-10-07 18:57:27 +02:00
spi spi: spi-gpio: fix SPI_CS_HIGH capability 2019-09-16 08:22:07 +02:00
spmi
ssb ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit 2019-05-31 06:46:04 -07:00
staging media: imx: mipi csi-2: Don't fail if initial state times-out 2019-10-05 13:09:43 +02:00
target scsi: target/iblock: Fix overrun in WRITE SAME emulation 2019-09-16 08:22:17 +02:00
tc
tee
thermal thermal: Fix use-after-free when unregistering thermal zone device 2019-10-11 18:21:19 +02:00
thunderbolt thunderbolt: property: Fix a NULL pointer dereference 2019-05-31 06:46:31 -07:00
tty tty/serial: atmel: reschedule TX after RX was started 2019-09-21 07:16:45 +02:00
uio
usb usb: host: xhci-tegra: Set DMA mask correctly 2019-09-21 07:17:04 +02:00
uwb
vfio vfio_pci: Restore original state on release 2019-10-07 18:56:53 +02:00
vhost vhost: make sure log_num < in_num 2019-09-16 08:22:25 +02:00
video video: ssd1307fb: Start page range at page_offset 2019-10-07 18:56:30 +02:00
virt drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl 2019-05-16 19:41:31 +02:00
virtio virtio_pci: fix a NULL pointer reference in vp_del_vqs 2019-05-10 17:54:08 +02:00
visorbus
vlynq
vme
w1 w1: fix the resume command API 2019-05-31 06:46:14 -07:00
watchdog watchdog: aspeed: Add support for AST2600 2019-10-11 18:21:15 +02:00
xen xen/pci: reserve MCFG areas earlier 2019-10-11 18:21:13 +02:00
zorro
Kconfig
Makefile